Renewing that pesky “Microsoft Exchange” certificate


You know the one I am taking about. The self-signed certificate with a friendly name of “Microsoft Exchange” that each server issues by itself to itself. They are valid for 5 years , then suddenly, they are not. When on-premises was king, you rarely saw any questions about these. They just worked – and as companies upgraded, new ones were created on the new version servers, mailboxes were moved and the old certificates disappeared as the servers were retired.

Today, as more migrate to Exchange Online, these old 2010/2013 servers seem to be kept around longer during the migration,  frozen in time and are now bumping into that 5 year certificate lifetime.

So why renew it? It doesn’t appear to be doing anything. Well Sir or Madam, that is the certificate bound to the “Exchange Back End”  IIS site and essentially secures all the internal communications. 


If it expires, you could start experiencing the following side effects:


Dry Mouth

Exchange Powershell errors

Inability to open EAC

Errors in the event logs such as :

event log errors

See that :444? That’s the backed port number 


To fix: 

First, simply renew the certificate. You can do this in Powershell or EAC by highlighting the “Microsoft Exchange” certificate and clicking Renew.

Second, you’ll want the server itself to trust this new self-signed certificate. Nicely enough, the original Exchange setup program does this for you. When you renew the self-signed certificate, not so much. Once that new certificate is created, open MMC and add the Certificates snap-in on that server. From there, choose the “Computer Account” and then “Local Computer”. 

Copy the new certificate from Personal/Certificates to Trusted Root Certificate Authorities/Certificates. If you access the properties on the new certificate and go to the “Certification Path” tab, it should show as OK.

Third, add the new certificate to the Back-end Binding and run IISRESET.

From the article I first linked above. Do the following:


  • Start IIS Manager on the Mailbox Server.
  • Expand Site, highlight Exchange Back End, and select Bindings from the Actions pane in the right side column.
  • Select Type https on Port 444.
  • Click Edit and select the Microsoft Exchange certificate.
  • From an administrator command prompt, run IISReset. ( Do this off-hours if this a standalone Exchange Server. If you are using a DAG, then move all the databases to other servers and have at it)


You’ll go from this:


To this:


You are done for another 5 years. 






Published by adavid6

Grumpy Old Exchange MVP. My old site was lost: I have been an Exchange MVP since 2002. I also had the honor of naming “You had me at EHLO” for the Exchange Product Group Blog way back in the early 2000s. I attempt to answer forum questions on TechNet: and can be found on Twitter: Reddit: Microsoft Tech Community:

3 thoughts on “Renewing that pesky “Microsoft Exchange” certificate

  1. Absolutely perfect article, I spoke to MS twice to ensure I didn’t create an outage, sure enough their process was way off. I followed the above article and it worked perfectly. Thank you!

    Liked by 1 person

  2. This is the best post i have seen in a while! After trying 20 different solutions that didn’t work, your post helped me solve the problem in 5 minutes! You, my sir, are a genius! Than you a million times!


  3. Thanks for the procedure. One word of warning; when I did this, it removed the IIS service from my public SSL cert and of course, because of that, was giving certificate errors when trying to log into OWA or ECP.

    Quick fix by reassigning IIS to the public cert, but wanted to mention it.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: